Powershell check_ncpa - unable to get service from remote co

[Keystone]

Hi ,

I wrote a powershell script for windows failover cluster monitoring. On which i have a scenario where i need to check for a running service on all the cluster nodes.

when running my script from Nagios, the script only fetches the service on the current node where the check_ncpa command runs, and it fails to get details on other clusternode

i am using "Get-Service -ComputerName" to do this and it fails running from Nagios. Should i need to do a enter-PSsession to do this ? why my local account could connect remotly but not when called from nagios?

My Powershell function look like this

Code: Select all

function GetServiceStatus {
    param (
        $servicename  #"Microsoft iSCSI Initiator Service" , "NCPA Listener - ncpalistener"
    )
    try {
        $servicename = $servicename -split "," -replace('"',"") | % { $_.Trim() } | where { $_ } |  select -Unique
        if ($servicename.Count -gt 0) {
            foreach ($node in $ownernode.Keys) {
                $servicename | % { If ($(Get-Service -ComputerName $node -Name $_ ).Status -eq "Running") 
                    { $running_services[$_] += ",$node" } }
            }
        }
    }
    catch {
        Write-Host "UnKnown: Something went wrong in GetServiceStatus"
        $Global:returncode = 3
    }
}

[Running locally my function finds the services on both cluster nodes]
.\winClusterHealth.ps1 -failover_retention 11 -services_onallnodes "Microsoft iSCSI Initiator Service,NCPA Listener - ncpalistener"

Microsoft iSCSI Initiator Service {clusternode1, clusternode2}
NCPA Listener - ncpalistener {clusternode1, clusternode2}

when executing the script locally as my user, i can get the service running on my local machine and on all the cluster nodes,

but when i use check_ncpa.py to call my script as below from my nagios server

Code: Select all

./check_ncpa.py -H 'clusternode1'  -t 'token' -P 5693  -M 'plugins/winClusterHealth.ps1' -a '-services_onallnodes "Microsoft iSCSI Initiator Service,NCPA Listener - ncpalistener"' 

the script only gets the service of the 'clusternode1' not from other clusternodes and throws the error

[Running from nagios it only fetches the service from the clusternode1]
./check_ncpa.py -H ctlrck-vdwn001.wsgc.com -t 'g8fwRYLrbh6Zf' -P 5693 -M 'plugins/winClusterHealth.ps1' -a '-failover_retention 1400 -services_onallnodes "Microsoft iSCSI Initiator Service,NCPA Listener - ncpalistener"'

Microsoft iSCSI Initiator Service clusternode1
NCPA Listener - ncpalistener clusternode1


Get-Service : Cannot find any service with service name 'Microsoft iSCSI
Initiator Service'.
At C:\Program Files (x86)\Nagios\NCPA\plugins\winClusterHealth.ps1:77 char:42
+ $servicename | % { If ($(Get-Service -ComputerName $node
-Name $ ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft iSCSI Initiator Servi
ce:String) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.
Commands.GetServiceCommand

Get-Service : Cannot find any service with service name 'NCPA Listener -
ncpalistener'.
At C:\Program Files (x86)\Nagios\NCPA\plugins\winClusterHealth.ps1:77 char:42
+ $servicename | % { If ($(Get-Service -ComputerName $node
-Name $ ...
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (NCPA Listener - ncpalistener:St
ring) [Get-Service], ServiceCommandException
+ FullyQualifiedErrorId : NoServiceFoundForGivenName,Microsoft.PowerShell.
Commands.GetServiceCommand

[mbellerue]

The very first thing that comes to mind is that NCPA installs and runs under the local system account of a Windows machine. Local accounts from one Windows machine do not have access to login and view services of another Windows machine. When you run your Powershell script yourself, it's sending your credentials between each computer in the cluster.

In order to get this to work, you would want to have the NCPA service run with a service account created in Active Directory.

[Keystone]

Thank you for the quick response,

i tried changing the NCPA Listener service from Local System to My user name on the AD , it failed with "Access is denied"

[mbellerue]

If the NCPA Listener service failed to start up, one reason may be because your login isn't authorized under Logon As A Service. That can be set locally to the one server, but most best practices will have you modify that in a group policy object. Then after that, the service account must also have a certain level of permissions over the server, so that it can listen on a specific network port. I don't know what those permission levels are, unfortunately.

Going back to your original post, using PSSession might be a way to work around this, as it looks like there are ways to specify authentication methods. But I'm not very well versed in Powershell sessions, and don't know the capabilities or limitations.

[Keystone]

Thanks for your suggestions,

We have created a service account and made the NCPA services run with that account, And we updated the Group policy to give local admin privileges in our dev servers. And we were able to get-service details of the remote servers that has NCPA running as the same Service account.

[mbellerue]

Excellent, glad to hear it's working! I will lock the thread, unless there's anything else you needed.